Welcome to the CSAE Blog

Top Application Security Threats, and the Best Ways to Counter Them

To drive effective outreach and improve donor targets each year, not-for-profits must be willing to live -- and work -- in the 21st century. This means relying on both web- and cloud-based applications to streamline social campaigns, align donor objectives and communicate organizational goals among executives. Also critical is managing the publicity, timing, and scheduling of large-scale events such as conferences, presentations, or Q&A sessions.

Not-for-profits must also recognize the risk that these same web and cloud applications carry -- motivated "hacktivists" and cybercriminals looking to test their latest malware creation often target small businesses or not-for-profits because these organizations typically don't spend as much on robust, reliable digital security. And with so many applications re-using open source code, it's easy for attackers to find and exploit common flaws and then compromise not-for-profits' networks.

Here's a look at some of the top risks to not-for-profits, how they impact applications, and what steps your organization can take to improve digital defense.

Threat Vectors

It's easy to consider yourself uninteresting to hackers -- what do they want with your marketing materials, fundraising plans, and conference details? But you're sitting on valuable data such as donor information and histories, and often represent a low-risk attack vector for cybercriminals since you're not on the lookout for suspicious activity.

Consider the sheer number of applications used by not-for-profits for day-to-day business, everything from social media tools, such as RiteTag to track the effectiveness of hashtags, to video editing tools such as Replay for marketing campaigns, to Humanity, an HR app designed to help track employee hours and manage scheduling. In addition, not-for-profits may turn to small developers when they need an app to handle conference or event scheduling -- development teams are often willing to provide their services at a reduced rate for the right cause.

The result? While these applications form the foundation of not-for-profit digital efforts, they're also prone to compromise or failure when targeted by malicious actors.

Top Tactics

How are hackers gaining access to your applications?

First is user insecurity. Familiar with smartphones and social tools, employees and volunteers may accidentally share confidential information over social sites, or log in to corporate networks while on insecure connections. Application security education is essential to help limit the chance for compromise.

Another potential path to compromise is apps that haven't been properly tested. Consider this: you hire a developer to create a mobile-native conference scheduling app. The developer offers a reduction on its usual rate, and delivers the finished product ahead of schedule -- but how was the app tested? Did developers take the time to break, fix and break the app again? If not, it's worth hiring a third-party testing provider to ensure your application isn't rolling out the red carpet for hackers.

Hackers may also leverage more advanced techniques including:

Distributed Denial of Service (DDoS) -- Here, attackers flood your applications with access requests or random traffic, and force them to shut down. While there's not much you can do to prevent these attacks, it's critical to recognize the signs of sudden network traffic spikes, shut down apps immediately and assess the damage.

SQL Injection and XSS Attacks -- SQL stands for "structured query language" and is a popular way to retrieve information from databases. If request parameters aren't constrained and are passed straight into database queries, attackers can exploit common weaknesses and compromise your database. XSS, meanwhile, is shorthand for cross-site scripting, in which hackers try to "inject" their own scripts into websites or applications and take control of what other users see. Security policies that limit which scripts a page is allowed to run can help mitigate this issue.
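The two weaknesses above, shown as an added example that is not part of the original post: a donor lookup that pastes the request parameter into the SQL text, its hardened form using a bound parameter, and output encoding for text placed into HTML. The donor table and the probe string are constructed for the demonstration.

```python
import sqlite3
import html

def make_db():
    # Constructed sample data: a small donor table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (id INTEGER PRIMARY KEY, email TEXT, total_cad REAL)")
    conn.executemany("INSERT INTO donors (email, total_cad) VALUES (?, ?)",
                     [("alice@example.org", 250.0), ("bob@example.org", 1200.0)])
    return conn

def lookup_unsafe(conn, email):
    # Vulnerable: the request parameter becomes part of the SQL syntax,
    # so a crafted value can change what the query matches.
    sql = "SELECT email FROM donors WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # Hardened: the value is bound as a parameter and can only ever be
    # compared as data, never interpreted as SQL.
    sql = "SELECT email FROM donors WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

def render_greeting(name):
    # Hardened output for the XSS case: user-supplied text is HTML-escaped
    # before being placed in the page, so it renders as text, not markup.
    return "<p>Thanks for registering, " + html.escape(name, quote=True) + "!</p>"

def demo():
    conn = make_db()
    # Constructed test input: not a valid address, but it closes the quote
    # in the unsafe query and appends an always-true condition.
    probe = "nobody@example.org' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),  # every donor leaks
        "safe_rows": len(lookup_safe(conn, probe)),      # no such address: 0
        "greeting": render_greeting("<script>alert(1)</script>"),
    }

if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns both donors for an address that does not exist, while the parameterized version returns none; the same parameterization is what a third-party tester would look for in a contracted app.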

Stock APIs -- Application programming interfaces (APIs) govern how apps communicate and interact with each other. The problem is 65 percent of companies say they have no process for API control. If your app is built with stock APIs that hackers can exploit, you may be at risk.

Not-for-profits aren't immune to cybersecurity attacks. Every web application and every cloud service represents a potential point of compromise -- limit your risk by learning more about the top application threats and how to counter their impact.

Being prepared to fight off hackers means having appropriate processes and policies in place. In his book, The Complementary Model of Board Governance, Tom Abbott addresses policy-based management and governance in not-for-profit organizations. The insight provided will help not-for-profits roll out policies that enable them to work with contracted resources to address their security threats.

About the Author

The Canadian Society of Association Executives welcomes input from its membership and other stakeholders in the association sector. We have opened our blog to such contributors to share their expertise by voicing their opinions on relevant topics via the CSAE blog. We thank all such guest contributors for sharing their time and experiences.
